FOREWORD


CSC-STD-003-85
Library No. S-226,727


This publication, Computer Security Requirements - Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments, is being issued by the DoD Computer Security Center (DoDCSC) under the authority of and in accordance with DoD Directive 5215.1, "Computer Security Evaluation Center." It provides guidance for specifying computer security requirements for the Department of Defense (DoD) by identifying the minimum class of system required for a given risk index. System classes are those defined by CSC-STD-001-83, Department of Defense Trusted Computer System Evaluation Criteria, 15 August 1983. Risk index is defined as the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by the system. This guidance is intended to be used in establishing minimum computer security requirements for the processing and/or storage and retrieval of sensitive or classified information by the Department of Defense whenever automatic data processing systems are employed. Point of contact concerning this publication is the Office of Standards and Products, Attention: Chief, Computer Security Standards.


DoD Computer Security Center


25 June 1985
1.0 INTRODUCTION


This document establishes computer security requirements for the Department of Defense (DoD) by identifying the minimum class of system required for a given risk index. The classes are those defined by CSC-STD-001-83, Department of Defense Trusted Computer System Evaluation Criteria (henceforth referred to as the Criteria).(1) A system's risk index is defined as the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by the system.[1]


The recommendations in this document are those that the DoD Computer Security Center (DoDCSC) believes to be the minimum adequate to provide an acceptable level of security. These recommendations are made in part due to the fact that there is no comprehensive policy in effect today which covers this area of computer security. Where current policy does exist, however, this document shall not be taken to supersede or override that policy, nor shall it be taken to provide exemption from any policy covering areas of security not addressed in this document.


Section 2 of this document provides definitions of terms used. Risk index computation is described in Section 3, while Section 4 presents the computer security requirements.


[1] Since a clearance implicitly encompasses lower clearance levels (e.g., a Secret-cleared user has an implicit Confidential clearance), the phrase "minimum clearance of the system users" is more accurately stated as "maximum clearance of the least cleared system user." For simplicity, this document uses the former phrase.
2.0 DEFINITIONS

Application

Those portions of a system, including portions of the operating system, that are not responsible for enforcing the system's security policy.

Category

A grouping of classified or unclassified but sensitive information to which an additional restrictive label is applied to signify that personnel are granted access to the information only if they have appropriate authorization (e.g., proprietary information (PROPIN), information that is Not Releasable to Foreign Nationals (NOFORN), compartmented information, information revealing sensitive intelligence sources and methods (WNINTEL)).

Closed security environment

An environment in which both of the following conditions hold true:

1. Application developers (including maintainers) have sufficient clearances and authorizations to provide acceptable presumption that they have not introduced malicious logic. Sufficient clearance is defined as follows: where the maximum classification of the data to be processed is Confidential or less, developers are cleared and authorized to the same level as the most sensitive data; where the maximum classification of the data to be processed is Secret or above, developers have at least a Secret clearance.

2. Configuration control provides sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of system applications.

Compartmented security mode

The mode of operation which allows the system to process two or more types of compartmented information (information requiring a special authorization) or any one type of compartmented information with other than compartmented information. In this mode, all system users need not be cleared for all types of compartmented information processed, but must be fully cleared for at least Top Secret information for unescorted access to the computer.

Configuration control

Management of changes made to a system's hardware, software, firmware, and documentation throughout the development and operational life of the system.

Controlled security mode

The mode of operation that is a type of multilevel security mode in which a more limited amount of trust is placed in the hardware/software base of the system, with resultant restrictions on the classification levels and clearance levels that may be supported.

Dedicated security mode

The mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.

Environment

The aggregate of external circumstances, conditions, and events that affect the development, operation, and maintenance of a system.

Malicious logic

Hardware, software, or firmware that is intentionally included in a system for the purpose of causing loss or harm (e.g., Trojan horses).

Multilevel security mode

The mode of operation which allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present.

Open security environment

An environment in which either of the following conditions holds true:

1. Application developers (including maintainers) do not have sufficient clearance (or authorization) to provide an acceptable presumption that they have not introduced malicious logic. (See "Closed security environment" for definition of sufficient clearance.)

2. Configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of system applications.

Risk index

The disparity between the minimum clearance or authorization of system users and the maximum sensitivity (e.g., classification and categories) of data processed by a system.

Sensitive information

Information that, as determined by a competent authority, must be protected because its unauthorized disclosure, alteration, loss, or destruction will at least cause perceivable damage to someone or something.

System

An assembly of computer hardware, software, and firmware configured for the purpose of classifying, sorting, calculating, computing, summarizing, transmitting and receiving, storing, and retrieving data with a minimum of human intervention.

System high security mode

The mode of operation in which system hardware/software is only trusted to provide need-to-know protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorizations for all information contained in the system. All system output must be clearly marked with the highest classification and all system caveats, until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and caveats have been affixed.

System users

Those individuals with direct connections to the system, and also those individuals without direct connections who receive output or generate input that is not reliably reviewed for classification by a responsible individual. The clearance of system users is used in the calculation of risk index.

For additional definitions, refer to the Glossary of the Criteria.(1)
3.0 RISK INDEX COMPUTATION

The initial step in determining the minimum evaluation class required for a system is to determine the system's risk index. The risk index for a system depends on the rating associated with the system's minimum user clearance (Rmin) taken from Table 1 and the rating associated with the system's maximum data sensitivity (Rmax) taken from Table 2. The risk index is computed as follows:

Case a. If Rmin is less than Rmax, then the risk index is determined by subtracting Rmin from Rmax.[1]

    Risk Index = Rmax - Rmin

Case b. If Rmin is greater than or equal to Rmax, then

    Risk Index = 1, if there are categories on the system to which some users are not authorized access
                 0, otherwise


[1] There is one anomalous value that results because there are two "types" of Top Secret clearance and only one "type" of Top Secret data. When the minimum user clearance is TS/BI and the maximum data sensitivity is Top Secret without categories, then the risk index is 0 (rather than the value 1, which would result from a straight application of the formula).
TABLE 1

RATING SCALE FOR MINIMUM USER CLEARANCE[1]


MINIMUM USER CLEARANCE                                                        RATING (Rmin)

Uncleared (U)                                                                 0
Not Cleared but Authorized Access to Sensitive Unclassified Information (N)   1
Confidential (C)                                                              2
Secret (S)                                                                    3
Top Secret (TS)/Current Background Investigation (BI)                         4
Top Secret (TS)/Current Special Background Investigation (SBI)                5
One Category (1C)                                                             6
Multiple Categories (MC)                                                      7

[1] The following clearances are as defined in DIS Manual 20-1(2): Confidential, Secret, Top Secret/Current Background Investigation, Top Secret/Current Special Background Investigation.

TABLE 2

RATING SCALE FOR MAXIMUM DATA SENSITIVITY


MAXIMUM DATA SENSITIVITY          RATING[2]   MAXIMUM DATA SENSITIVITY                                 RATING
WITHOUT CATEGORIES                (Rmax)      WITH CATEGORIES[1]                                       (Rmax)

Unclassified (U)                  0           Not Applicable[3]
Not Classified but Sensitive[4]   1           N With One or More Categories                            2
Confidential (C)                  2           C With One or More Categories                            3
Secret (S)                        3           S With One or More Categories With No More Than One      4
                                              Category Containing Secret Data
                                              S With Two or More Categories Containing Secret Data     5
Top Secret (TS)                   5[5]        TS With One or More Categories With No More Than One     6
                                              Category Containing Secret or Top Secret Data
                                              TS With Two or More Categories Containing Secret or      7
                                              Top Secret Data

[1] The only categories of concern are those for which some users are not authorized access. When counting the number of categories, count all categories regardless of the sensitivity level associated with the data. If a category is associated with more than one sensitivity level, it is only counted at the highest level.

[2] Where the number of categories is large or where a highly sensitive category is involved, a higher rating might be warranted.

[3] Since categories are sensitive and unclassified data is not, unclassified data by definition cannot contain categories.

[4] Examples of N data include financial, proprietary, privacy, and mission sensitive data. In some situations (e.g., those involving extremely large financial sums or critical mission sensitive data), a higher rating may be warranted. The table prescribes minimum ratings.

[5] The rating increment between the Secret and Top Secret data sensitivity levels is greater than the increment between other adjacent levels. This difference derives from the fact that the loss of Top Secret data causes exceptionally grave damage to the national security, whereas the loss of Secret data causes only serious damage.

4.0 COMPUTER SECURITY REQUIREMENTS

Table 3 identifies the minimum evaluation class appropriate for systems based on the risk index computed in Section 3. The classes identified are those from the Criteria.(1) A risk index of 0 encompasses those systems operating in either system high or dedicated security mode. Risk indices of 1 through 7 encompass those systems operating in multilevel, controlled, compartmented, or the Navy's limited access security mode; that is, those systems in which not all users are fully cleared or authorized access to all sensitive or classified data being processed and/or stored in the system. In situations where the local environment indicates that additional risk factors are present, a system of a higher evaluation class may be required.
TABLE 3

COMPUTER SECURITY REQUIREMENTS


RISK    SECURITY OPERATING MODE           MINIMUM CRITERIA CLASS       MINIMUM CRITERIA CLASS
INDEX                                     FOR OPEN ENVIRONMENTS[4]     FOR CLOSED ENVIRONMENTS[4]

0       Dedicated                         No Prescribed Minimum[1]     No Prescribed Minimum[1]
0       System High                       C2[2]                        C2[2]
1       Limited Access, Controlled,       B1[3]                        B1[3]
        Compartmented, Multilevel
2       Limited Access, Controlled,       B2                           B2
        Compartmented, Multilevel
3       Controlled, Multilevel            B3                           B2
4       Multilevel                        A1                           B3
5       Multilevel                        *                            A1
6       Multilevel                        *                            *
7       Multilevel                        *                            *

[1] Although there is no prescribed minimum class, the integrity and denial of service requirements of many systems warrant at least class C1 protection.

[2] If the system processes sensitive or classified data, at least a class C2 system is required. If the system does not process sensitive or classified data, a class C1 system is sufficient.

[3] Where a system processes classified or compartmented data and some users do not have at least a Confidential clearance, or when there are more than two types of compartmented information being processed, at least a class B2 system is required.

[4] The asterisk (*) indicates that computer protection for environments with that risk index is considered to be beyond the state of current computer security technology. Such environments must augment technical protection with physical, personnel, and/or administrative security solutions.
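As an added worked example (not part of CSC-STD-003-85), the following Python encodes the Section 3 risk index computation together with the Table 2 rating rules and the Table 3 lookup, so a practitioner can check a proposed system against the tables. The function names, the dictionary encodings and the n_cat / n_cat_secret_plus parameters are assumptions of this example; the Table 3 footnote 3 escalation from B1 to B2 is not modelled.

```python
# Added example, not part of CSC-STD-003-85: Sections 3 and 4 as code.
# Table 1: minimum user clearance -> Rmin.
RMIN = {"U": 0, "N": 1, "C": 2, "S": 3, "TS/BI": 4, "TS/SBI": 5, "1C": 6, "MC": 7}

# Table 3 for risk indices 1-7: (open environment class, closed environment class).
# None stands for the asterisk: protection beyond current technology, so the
# environment must add physical, personnel and/or administrative measures.
TABLE3 = {1: ("B1", "B1"), 2: ("B2", "B2"), 3: ("B3", "B2"), 4: ("A1", "B3"),
          5: (None, "A1"), 6: (None, None), 7: (None, None)}

def rmax(level, n_cat=0, n_cat_secret_plus=0):
    """Table 2. n_cat counts only categories to which some users are NOT
    authorized (Table 2 footnote 1); n_cat_secret_plus is how many of those
    hold Secret or Top Secret data (the S and TS rows split on this)."""
    base = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}[level]  # TS step is 2 (footnote 5)
    if n_cat == 0:
        return base
    if level == "U":
        raise ValueError("unclassified data cannot carry categories")  # footnote 3
    if level in ("N", "C"):
        return base + 1
    return base + (2 if n_cat_secret_plus >= 2 else 1)  # S -> 4 or 5, TS -> 6 or 7

def risk_index(min_clearance, level, n_cat=0, n_cat_secret_plus=0):
    """Section 3: Case a, Case b, and the TS/BI versus TS anomaly (footnote 1)."""
    rmin, rx = RMIN[min_clearance], rmax(level, n_cat, n_cat_secret_plus)
    if min_clearance == "TS/BI" and level == "TS" and n_cat == 0:
        return 0  # two kinds of TS clearance, one kind of TS data: 0, not 1
    if rmin < rx:  # Case a
        return rx - rmin
    return 1 if n_cat > 0 else 0  # Case b

def minimum_class(risk, mode, closed_env, sensitive_data=True):
    """Table 3 lookup. mode is 'dedicated', 'system high' or, for risk 1-7,
    any of limited access, controlled, compartmented, multilevel. Returns the
    class string, "none prescribed", or None where the table shows *."""
    if risk == 0:
        if mode == "dedicated":
            return "none prescribed"  # footnote 1: C1 still often warranted
        return "C2" if sensitive_data else "C1"  # system high, footnote 2
    open_cls, closed_cls = TABLE3[risk]
    return closed_cls if closed_env else open_cls

if __name__ == "__main__":
    # Secret-cleared users, TS data, two compartments holding TS data: 7 - 3 = 4.
    r = risk_index("S", "TS", n_cat=2, n_cat_secret_plus=2)
    print(r, minimum_class(r, "multilevel", closed_env=False))  # 4 A1
```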